CVE-2024-21532

HIGH

NPM Ggit - OS Command Injection

Title source: rule

Description

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

Exploits (1)

nomisec WORKING POC
by lirantal · poc
https://github.com/lirantal/CVE-2024-21532-PoC-ggit

Scores

CVSS v3 7.3
EPSS 0.0049
EPSS Percentile 65.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-78
Status published
Products (2)
n/a/ggit
npm/ggit
Published Oct 08, 2024
Tracked Since Feb 18, 2026